diff --git a/flake.lock b/flake.lock index 334fb61..e4c83c5 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": [], + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -7,11 +30,11 @@ ] }, "locked": { - "lastModified": 1734343412, - "narHash": "sha256-b7G8oFp0Nj01BYUJ6ENC9Qf/HsYAIZvN9k/p0Kg/PFU=", + "lastModified": 1735048446, + "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=", "owner": "nix-community", "repo": "disko", - "rev": "a08bfe06b39e94eec98dd089a2c1b18af01fef19", + "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21", "type": "github" }, "original": { @@ -22,11 +45,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734623593, - "narHash": "sha256-iA3kxtbds7yOc77oRBz2On9ZmOVI/1Pic+YQtYUyIsg=", + "lastModified": 1735444284, + "narHash": "sha256-U0Vw+ZrjbfvmHqeyJKM7lXZWUXIYdaOa32VtNKkfKo8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8af52ff6ba2ed83047881e877718db3bb02fad85", + "rev": "cf802984d6b41ea45044455724d5835a4f5fcf81", "type": "github" }, "original": { @@ -38,9 +61,25 @@ }, "root": { "inputs": { + "agenix": "agenix", "disko": "disko", "nixpkgs": "nixpkgs" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index e502406..c6e0123 100644 --- a/flake.nix 
+++ b/flake.nix
@@ -8,6 +8,15 @@ url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; + + agenix = { + url = "github:ryantm/agenix"; + inputs = { + nixpkgs.follows = "nixpkgs"; + home-manager.follows = ""; + darwin.follows = ""; + }; + }; }; outputs =
diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index fa020f5..e22744d 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@@ -1,22 +1,23 @@
 { ... }:
 {
 kropcloud =
- let
- serverIp = "192.168.1.160";
- in {
- services = {
- hydra = {
- enable = true;
- listenHost = serverIp;
- port = 3000;
+ let
+ serverIp = "192.168.1.160";
+ in
+ {
+ services = {
+ hydra = {
+ enable = true;
+ listenHost = serverIp;
+ port = 3000;
+ };
+ };
+ networking = {
+ ipv4 = {
+ address = serverIp;
+ prefixLength = 24;
+ defaultGateway = "192.168.1.1";
+ };
 };
 };
- networking = {
- ipv4 = {
- address = serverIp;
- prefixLength = 24;
- defaultGateway = "192.168.1.1";
- };
- };
- };
 }
diff --git a/lib.nix b/lib.nix
index a214747..9a2b1f4 100644
--- a/lib.nix
+++ b/lib.nix
@@ -22,8 +22,8 @@ }; } ) - inputs.disko.nixosModules.disko + inputs.agenix.nixosModules.agenix ]; specialArgs = { inherit inputs;
diff --git a/nixosModules/services/hydra/default.nix b/nixosModules/services/hydra/default.nix
index ee09fc4..7343a79 100644
--- a/nixosModules/services/hydra/default.nix
+++ b/nixosModules/services/hydra/default.nix
@@ -32,7 +32,11 @@ in
 services.hydra = {
 enable = true;
 useSubstitutes = true;
- hydraURL = if (cfg.hydraURL != null) then cfg.hydraURL else "http://${cfg.listenHost}:${builtins.toString cfg.port}";
+ hydraURL =
+ if (cfg.hydraURL != null) then
+ cfg.hydraURL
+ else
+ "http://${cfg.listenHost}:${builtins.toString cfg.port}";
 notificationSender = "hydra@localhost";
 listenHost = cfg.listenHost;
 port = cfg.port;
diff --git a/nixosModules/users/default.nix b/nixosModules/users/default.nix
index ffb152c..9add441 100644
--- a/nixosModules/users/default.nix
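Review bot: In the lib.nix hunk the agenix module replaces `inputs.disko.nixosModules.disko` in the module list rather than being added next to it, so the disko module is no longer imported even though disko stays an input in flake.nix and its flake.lock entry is bumped in this same commit. If any host still declares `disko.devices`, evaluation will now fail on an undefined option; if dropping disko is intended, the input and lock entry should go with it. The likely fix is to keep both lines, `inputs.disko.nixosModules.disko` followed by `inputs.agenix.nixosModules.agenix`. The module list these lines belong to starts and ends outside the hunk.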
+++ b/nixosModules/users/default.nix
@@ -17,8 +17,12 @@ in }; config = { + + age.secrets.mypassword.file = ../../secrets/mypassword.age; + # Define the admin user users.users.${cfg.user} = { + passwordFile = config.age.secrets.mypassword.path; isNormalUser = true; extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = cfg.sshKeys;
diff --git a/secrets/mypassword.age b/secrets/mypassword.age
new file mode 100644
index 0000000..efc4185
--- /dev/null
+++ b/secrets/mypassword.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5k28aQ KviGGE6dIqfoveCUfwkHUjGbKiOJZSMMuvXGAek8WR4
+VEWhiHssX0z1o6TEt7OBMOg/lhrL7R6sKxbJFJwdYMo
+-> ssh-ed25519 gyQF0A pMPG63ezxmpG/tB6uEo1mLJvhcR9s/+4WwXxdxlIXG4
+tWfIhKt8/cWpZhvqbpALaDU8tjyvHhN6cpfazEhIkXw
+--- 6iqyysXgmUhpSKKTBzWTABlWGY3CaY+DlcsFRgF7Bfk
+ö4GyeIÛ´—çÅ®[(¦ª<ƒ¥á›>HlÐ=£?g…’´7ÞD 
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..996e84f
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,15 @@
+let
+ wenar-nix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl0Rdo2kHliBeIiPuiO4kYO5M0VZFNXw4siepV1p6Pj";
+ users = [
+ wenar-nix
+ ];
+
+ test-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4ioqiTzYe6Y6H0YfFkWyDBbCB25wYs3gKNZIufE/Sn";
+ systems = [
+ test-server
+ ];
+ allKeys = users ++ systems;
+in
+{
+ "mypassword.age".publicKeys = allKeys;
+}
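Review bot: `passwordFile` on the added line in nixosModules/users/default.nix is the deprecated spelling of `users.users.<name>.hashedPasswordFile` (renamed in NixOS 23.11; the nixpkgs pinned by this commit's flake.lock, lastModified 1735444284, is from late 2024, so expect a rename warning at evaluation); prefer `hashedPasswordFile = config.age.secrets.mypassword.path;`. Under either name the decrypted file must contain a crypt(3)-style hash such as `mkpasswd` produces, not the cleartext password, which the secret name `mypassword` does not make obvious — a comment like `# password hash (mkpasswd output); decrypted by agenix at activation` above the `age.secrets` line would save the next reader a surprise. This assumes `config` is among the module's arguments, which lie outside the hunk; the `config = {` set also continues past it.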
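Review bot: In secrets/secrets.nix the only system recipient is `test-server`, and nothing in the commit ties that key to hosts/hydra, where the users module that reads `mypassword.age` is applied; agenix decrypts on the target with the identities in `age.identityPaths`, by default the sshd host keys, so if `test-server` is not hydra's ed25519 host key activation fails when the secret cannot be decrypted. If it is hydra's key, say so in place, e.g. `# ed25519 host key of hosts/hydra (/etc/ssh/ssh_host_ed25519_key.pub)` above `test-server` and a matching note above `wenar-nix`, since every key in `allKeys` can decrypt every secret listed here. The two `-> ssh-ed25519` stanzas in mypassword.age match the two keys, which is consistent with the file having been encrypted against this list.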